overview of the sponge duplex and farfalle constructions
play

Overview of the Sponge, Duplex and Farfalle constructions Gilles Van - PowerPoint PPT Presentation

Aug 22, 2022 •27 likes •907 views

Overview of the Sponge, Duplex and Farfalle constructions Gilles Van Assche 1 1 STMicroelectronics Summer school on real-world crypto and privacy ibenik, Croatia, June 2019 Based on joint work with Elena Andreeva, Guido Bertoni, Joan Daemen,

  1. Overview of the Sponge, Duplex and Farfalle constructions Gilles Van Assche 1 1 STMicroelectronics Summer school on real-world crypto and privacy Šibenik, Croatia, June 2019 Based on joint work with Elena Andreeva, Guido Bertoni, Joan Daemen, Seth Hoffert, Bart Mennink, Michaël Peeters, Ronny Van Keer 1 / 59

  2. Outline The duplex construction Deck functions and modes Farfalle The full-state keyed duplex construction The outer keyed sponge and duplex constructions Keyed applications 4 The sponge construction 1 Unkeyed applications 3 Why permutation-based cryptography? 2 Modern generic security Hashing requirements Security notions for hashing 2 / 59

  3. Security notions for hashing The sponge construction Deck functions and modes Farfalle The full-state keyed duplex construction The outer keyed sponge and duplex constructions Keyed applications 4 The duplex construction Unkeyed applications Outline 3 Why permutation-based cryptography? 2 Modern generic security Hashing requirements Security notions for hashing 1 3 / 59

  4. Security notions for hashing The sponge construction Deck functions and modes Farfalle The full-state keyed duplex construction The outer keyed sponge and duplex constructions Keyed applications 4 The duplex construction Unkeyed applications Hashing requirements 3 Why permutation-based cryptography? 2 Modern generic security Hashing requirements Security notions for hashing 1 Outline 4 / 59

  5. Security notions for hashing Hashing requirements … Applications 5 / 59 Cryptographic hash functions h : { 0 , 1 } ∗ → { 0 , 1 } n I n p u t me s s a g e D i g e s t Signatures : sign RSA ( h ( M )) instead of sign RSA ( M ) Key derivation : master key K to derived keys ( K i = h ( K ∥ i )) Bit commitment , predictions : h ( what I know ) Message authentication : h ( K ∥ M )

  6. Security notions for hashing Hashing requirements … Applications 5 / 59 Cryptographic hash functions h : { 0 , 1 } ∗ → { 0 , 1 } n I n p u t me s s a g e D i g e s t Signatures : sign RSA ( h ( M )) instead of sign RSA ( M ) Key derivation : master key K to derived keys ( K i = h ( K ∥ i )) Bit commitment , predictions : h ( what I know ) Message authentication : h ( K ∥ M )

  7. Security notions for hashing Hashing requirements … Applications 5 / 59 Cryptographic hash functions h : { 0 , 1 } ∗ → { 0 , 1 } n I n p u t me s s a g e D i g e s t Signatures : sign RSA ( h ( M )) instead of sign RSA ( M ) Key derivation : master key K to derived keys ( K i = h ( K ∥ i )) Bit commitment , predictions : h ( what I know ) Message authentication : h ( K ∥ M )

  8. Security notions for hashing Hashing requirements … Applications 5 / 59 Cryptographic hash functions h : { 0 , 1 } ∗ → { 0 , 1 } n I n p u t me s s a g e D i g e s t Signatures : sign RSA ( h ( M )) instead of sign RSA ( M ) Key derivation : master key K to derived keys ( K i = h ( K ∥ i )) Bit commitment , predictions : h ( what I know ) Message authentication : h ( K ∥ M )

  9. Security notions for hashing Hashing requirements Generalized: extendable output function (XOF) “XOF: a function in which the output can be extended to any length. ” [Ray Perlner, SHA-3 workshop 2014] Applications Signatures : full-domain hashing, mask generating function Key derivation : as many/long derived keys as needed 6 / 59 h : { 0 , 1 } ∗ → { 0 , 1 } ∗ Stream cipher : C = P ⊕ h ( K ∥ nonce )

  10. Security notions for hashing Hashing requirements Modern security requirements Hash or XOF h with n -bit output Modern security requirements h behaves like a random mapping … up to security strength s Classical security requirements, derived from it Preimage resistance Second-preimage resistance Collision resistance 7 / 59 2 min ( n , s ) 2 min ( n , s ) 2 min ( n / 2 , s )

  11. Security notions for hashing The sponge construction Deck functions and modes Farfalle The full-state keyed duplex construction The outer keyed sponge and duplex constructions Keyed applications 4 The duplex construction Unkeyed applications Modern generic security 3 Why permutation-based cryptography? 2 Modern generic security Hashing requirements Security notions for hashing 1 Outline 8 / 59

  12. Security notions for hashing Modern generic security Generic security: indistinguishability 9 / 59 Adversary D must tell apart the ideal function: a monolithic random oracle RO construction S [ F ] calling an ideal primitive F Express Pr ( success |D ) as a function of total cost of queries N Problem: in real world, F is available to adversary

  13. Security notions for hashing Modern generic security Generic security: indistinguishability 9 / 59 Adversary D must tell apart the ideal function: a monolithic random oracle RO construction S [ F ] calling an ideal primitive F Express Pr ( success |D ) as a function of total cost of queries N Problem: in real world, F is available to adversary

  14. Security notions for hashing Modern generic security Generic security: indifferentiability [Maurer et al. (2004)] Applied to hash functions in [Coron et al. (2005)] additional interface, covered by a simulator at right 10 / 59 distinguishing mode-of-use from ideal function ( RO ) covers adversary with access to primitive F at left

  15. Security notions for hashing Modern generic security Generic security: indifferentiability [Maurer et al. (2004)] Methodology: 10 / 59 build P that makes left/right distinguishing diffjcult prove bound for advantage given this simulator P P may query RO for acting S -consistently: P [ RO ]

  16. Security notions for hashing Modern generic security Generic security: indifferentiability [Maurer et al. (2004)] 10 / 59 � D RO , P [ RO ] )� ( D S [ F ] , F ) ( Adv ( q ) = − Pr � ≤ ϵ ( q ) � � � Pr

  17. Security notions for hashing Modern generic security Consequences of indifferentiability do pre-image attack Can be generalized to any attack 11 / 59 Let D : n -bit output pre-image attack. Success probability: for random oracle: P pre ( D|RO ) = q 2 − n for our construction: P pre ( D|S [ F ]) = ? A distinguisher D with Adv ( q ) = P pre ( D|S [ F ]) − P pre ( D|RO ) if success, conclude our construction; otherwise, RO But we have a proven bound Adv ( q ) ≤ ϵ ( q ) , so P pre ( D|S [ F ]) ≤ P pre ( D|RO ) + ϵ ( q )

  18. Security notions for hashing Modern generic security Consequences of indifferentiability [Andreeva, Mennink, Preneel, ISC 2010] 12 / 59

  19. Security notions for hashing Modern generic security Limitations of indifferentiability Only about the mode No security proof with a concrete primitive Only about single-stage games [Ristenpart et al., Eurocrypt 2011] Example: hash-based storage auditing 13 / 59 Z = h ( File ∥ C )

  20. Security notions for hashing Modern generic security Limitations of indifferentiability Only about the mode No security proof with a concrete primitive Only about single-stage games [Ristenpart et al., Eurocrypt 2011] Example: hash-based storage auditing 13 / 59 Z = h ( File ∥ C )

  21. Why permutation-based cryptography? The sponge construction Deck functions and modes Farfalle The full-state keyed duplex construction The outer keyed sponge and duplex constructions Keyed applications 4 The duplex construction Unkeyed applications Outline 3 Why permutation-based cryptography? 2 Modern generic security Hashing requirements Security notions for hashing 1 14 / 59

  22. Why permutation-based cryptography? Symmetric crypto: what textbooks and intro’s say Symmetric cryptography primitives: Block ciphers Key stream generators Hash functions And their modes-of-use Picture by GlasgowAmateur 15 / 59

  23. Why permutation-based cryptography? The truth about symmetric crypto today Block ciphers: 16 / 59

  24. Why permutation-based cryptography? What block cipher are used for Hashing (Davies-Meyer) and its modes HMAC, MGF1, … Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, … self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM … 17 / 59

  25. Why permutation-based cryptography? Block cipher operation 18 / 59

  26. Why permutation-based cryptography? Block cipher operation: the inverse 19 / 59

  27. Why permutation-based cryptography? When do you need the inverse? Indicated in red: Hashing and its modes HMAC, MGF1, … Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, … self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM … Most schemes with misuse-resistant claims So for most uses you don’t need the inverse! 20 / 59

  28. Why permutation-based cryptography? Block cipher internals 21 / 59

  29. Why permutation-based cryptography? Davies-Meyer compression function 22 / 59

  30. Why permutation-based cryptography? Removing restrictions not required in hashing 23 / 59

  31. Why permutation-based cryptography? Simplifying the view: iterated permutation 24 / 59

  32. Why permutation-based cryptography? Designing a permutation Remaining problem: design of iterated permutation round function: good approaches known asymmetry: round constants Advantages with respect to block ciphers: no more need for effjcient inverse no more worries about key schedule 25 / 59 less barriers ⇒ more diffusion

Recommend

Full-duplex without Strings: Enabling Full- duplex with Half-duplex Clients Karthikeyan

Full-duplex without Strings: Enabling Full- duplex with Half-duplex Clients Karthikeyan

Full-duplex without Strings: Enabling Full- duplex with Half-duplex Clients Karthikeyan Sundaresan, Mohammad Khojastepour, Eugene Chai, Sampath Rangarajan NEC Labs America MobiCom 2014 Full-duplex Transmitting + receiving on same time-

327 views • 21 slides
Modern Session Encryption David Wong outline 3. NOISE 2. STROBE 4. ??? 1. KECCAK Sponge

Modern Session Encryption David Wong outline 3. NOISE 2. STROBE 4. ??? 1. KECCAK Sponge

Modern Session Encryption David Wong outline 3. NOISE 2. STROBE 4. ??? 1. KECCAK Sponge Construction 00101 01001 01100 11001 01011 10101 0 0 0 0 f f f f f 0 0 0 0 absorbing squeezing Duplex Construction input

808 views • 60 slides
Ret Retaine ined Sponge Sponge Most common retained surgical item that requires a

Ret Retaine ined Sponge Sponge Most common retained surgical item that requires a

Ret Retaine ined Sponge Sponge Most common retained surgical item that requires a re-operation Detection can be difficult and remote from the initial operation The sponge must be removed Primary problem is faulty OR

570 views • 26 slides
Outline Introduction Full-duplex system Cooperative system Cooperative full-duplex

Outline Introduction Full-duplex system Cooperative system Cooperative full-duplex

Cooperative versus Full-Duplex Communication in Cellular Networks : A Comparison of the Total Degrees of Freedom Amr El-Keyi and Halim Yanikomeroglu Outline Introduction Full-duplex system Cooperative system Cooperative full-duplex

306 views • 17 slides
Wireless Communication Systems @CS.NCTU Lecture 14: Full-Duplex Communications Instructor: Kate

Wireless Communication Systems @CS.NCTU Lecture 14: Full-Duplex Communications Instructor: Kate

Wireless Communication Systems @CS.NCTU Lecture 14: Full-Duplex Communications Instructor: Kate Ching-Ju Lin ( ) 1 Outline Whats full-duplex Self-Interference Cancellation Full-duplex and Half-duplex Co-existence

1.37k views • 47 slides
DUPLEX Stainless Steel John Grocki 2012 What are Duplex Stainless Steels ? A family of

DUPLEX Stainless Steel John Grocki 2012 What are Duplex Stainless Steels ? A family of

A Primer for DUPLEX Stainless Steel John Grocki 2012 What are Duplex Stainless Steels ? A family of stainless steels whose: structures are approximately 50/50 austenite and ferrite physical properties are a combination of the

907 views • 51 slides
Pipes! Files read() write() Creating pipes Half-Duplex Pipes Full-Duplex Pipes What is a

Pipes! Files read() write() Creating pipes Half-Duplex Pipes Full-Duplex Pipes What is a

Pipes! Files read() write() Creating pipes Half-Duplex Pipes Full-Duplex Pipes What is a File in Unix / Linux S t a n d a r d E r r o r Hardware Devices s e i l F x t e T Kitchen Sink

324 views • 8 slides
Treatment performance of practical-scale down-flow hanging sponge reactor using sixth-generation

Treatment performance of practical-scale down-flow hanging sponge reactor using sixth-generation

13 th IWA Specialized Conference on Small Water and Wastewater Systems, 14-16 September 2016, Athens, Greece Treatment performance of practical-scale down-flow hanging sponge reactor using sixth-generation sponge media Tsutomu Okubo*, Akinori

366 views • 33 slides
Full Duplex Radios Daniel J. Steffey Source Full Duplex Radios* ACM SIGCOMM 2013 Dinesh

Full Duplex Radios Daniel J. Steffey Source Full Duplex Radios* ACM SIGCOMM 2013 Dinesh

Full Duplex Radios Daniel J. Steffey Source Full Duplex Radios* ACM SIGCOMM 2013 Dinesh Bharadia Emily McMilin Sachin Katti *All source information and graphics/charts 2 Problem It is generally not possible for radios to receive and

705 views • 28 slides
Practical, Real-time, Full-Duplex Wireless Mayank Jain, Jung Il Choi, Taemin Kim, Dinesh

Practical, Real-time, Full-Duplex Wireless Mayank Jain, Jung Il Choi, Taemin Kim, Dinesh

Practical, Real-time, Full-Duplex Wireless Mayank Jain, Jung Il Choi, Taemin Kim, Dinesh Bharadia, Kannan Srinivasan, Siddharth Seth, Philip Levis, Sachin Katti, Prasun Sinha September 22, 2011 1 What full-duplex 2 What full-duplex ...

1.18k views • 103 slides
Host Device USB 1.0/1.1 USB 2.0 USB 3.0

Host Device USB 1.0/1.1 USB 2.0 USB 3.0

Host Device USB 1.0/1.1 USB 2.0 USB 3.0 USB 3.1 USB 3.2 1.5/12 MBits/s 480 MBits/s 5 GBits/s 10 GBits/s 20 GBits/s Half duplex Half duplex Full duplex 2006 2016 1996 1998 2000

527 views • 35 slides
Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with Peter Gai (IST Austria) wr0ng Paris, April 30, 2017 The Sponge Construction [BDP V A08] M {0,1}* M 1 M 2 M L r-bit blocks: r 0 H (M)

820 views • 42 slides
Generic security of the Keyed Sponge based on joint work with Guido Bertoni 1 , Michal Peeters 1

Generic security of the Keyed Sponge based on joint work with Guido Bertoni 1 , Michal Peeters 1

Generic security of the Keyed Sponge Generic security of the Keyed Sponge based on joint work with Guido Bertoni 1 , Michal Peeters 1 , Gilles Van Assche 1 , ArcticCrypt Longyearbyen July 19, 2016 1 / 30 Joan Daemen 1 , 2 Elena Andreeva 3

602 views • 33 slides
Full Duplex Radios ROHIT KUMAR 2 Types of Communication Simplex Data can be transferred only

Full Duplex Radios ROHIT KUMAR 2 Types of Communication Simplex Data can be transferred only

Full Duplex Radios ROHIT KUMAR 2 Types of Communication Simplex Data can be transferred only in one direction. Half Duplex Data can be transferred in both directions but not simultaneously. Full Duplex Data can be

282 views • 12 slides
Duplex Ultrasound Evaluation Duplex Ultrasound Evaluation Reversed Trendelenberg position on

Duplex Ultrasound Evaluation Duplex Ultrasound Evaluation Reversed Trendelenberg position on

4/14/2016 Disclosures: Speaker honorarium for W.L. Gore When Do You Need to Treat and Associates, 9/2015. Venous Perforators?.. and How to Do It David Rigberg, MD Professor and Program Director Division of Vascular Surgery University of

196 views • 5 slides
Chapter 9: Passive Constructions Syntactic Constructions in English Kim and Michaelis (2020)

Chapter 9: Passive Constructions Syntactic Constructions in English Kim and Michaelis (2020)

Chapter 9: Passive Constructions Syntactic Constructions in English Kim and Michaelis (2020) Syntactic Constructions Chapter 9 1 / 43 Introduction 1 2 The Relationship between Active and Passive Approaches to Passive 3 From Structural

597 views • 43 slides
x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

ECRYPT Bart Preneel Emerging Topics in Cryptographic Design and Cryptanalysis Generic Constructions 30 April- 4 May 2007, Samos Greece for Iterated Hash Functions Outline Generic Constructions Generic Constructions for Iterated Hash

759 views • 10 slides
Towards Optimal Constructions of Towards Optimal Constructions of Dynamically Corrected Quantum

Towards Optimal Constructions of Towards Optimal Constructions of Dynamically Corrected Quantum

Second International Conference on Quantum Error Correction University of Southern California, Dec. 5-9 2011 Towards Optimal Constructions of Towards Optimal Constructions of Dynamically Corrected Quantum Gates Dynamically Corrected Quantum

700 views • 25 slides
Chapter 7: Raising and Control Constructions Syntactic Constructions in English Kim and Michaelis

Chapter 7: Raising and Control Constructions Syntactic Constructions in English Kim and Michaelis

Chapter 7: Raising and Control Constructions Syntactic Constructions in English Kim and Michaelis (2020) Syntactic Constructions Chapter 7 1 / 48 Raising and Control Predicates 1 2 Differences between Raising and Control Verbs Subject

635 views • 48 slides
Numerical Results of Novel Half-Duplex Relaying Protocols Nikola Zlatanov University of British

Numerical Results of Novel Half-Duplex Relaying Protocols Nikola Zlatanov University of British

Numerical Results of Novel Half-Duplex Relaying Protocols Nikola Zlatanov University of British Columbia (UBC), Canada Joint work Robert Schober, Vahid Jamali, and Pater Popovski Nikola Zlatanov Numerical Results of Novel Half-Duplex Relaying

225 views • 4 slides
Task 3 - Vulnerability and damageability of constructions under impact and explosion Florea Dinu

Task 3 - Vulnerability and damageability of constructions under impact and explosion Florea Dinu

COST C26 Final Conference: Urban Habitat Constructions under Catastrophic Events Naples, Italy, 16-18 September 2010 WG3 - Impact and explosion resistance Task 3 - Vulnerability and damageability of constructions under impact and

787 views • 36 slides
Chapter 11: Relative Clause Constructions Syntactic Constructions in English Kim and Michaelis

Chapter 11: Relative Clause Constructions Syntactic Constructions in English Kim and Michaelis

Chapter 11: Relative Clause Constructions Syntactic Constructions in English Kim and Michaelis (2020) Syntactic Constructions Chapter 11 1 / 54 Introduction 1 Nonsubject Wh-Relative Clauses 2 3 Subject Relative Clauses That-Relative

684 views • 54 slides
The Data Link Layer Bits are just bits. With only a physical layer, System A has no way to tell

The Data Link Layer Bits are just bits. With only a physical layer, System A has no way to tell

32 PART I Networking Basics weather station. More realistic devices use duplex mode , where all systems can send or receive with equal facility. This is often further distinguished as half-duplex (the system can send and receive, but not at the

161 views • 13 slides
About the SKP Group About the SKP Group Integrated Business Model Ferro Alloys, Sponge

About the SKP Group About the SKP Group Integrated Business Model Ferro Alloys, Sponge

About the SKP Group About the SKP Group Integrated Business Model Ferro Alloys, Sponge Iron, Billets, TMT Bars, Stainless Steel, Power, Coal Mining. One of the largest producers of High Carbon Ferro Chrome, Silico Manganese,

638 views • 39 slides

More recommend